Forum: MatriX RSS
avs099 #1
Member since Oct 2010 · 2 posts
Group memberships: Members
Subject: GSSAPI is not working for me...
Hello,

I'm trying to evaluate MatriX for our project, and the requirement is to connect to Openfire Server via SSO. I ran the MiniClient sample and added UseSso=true to the "Connect" button handler, but it does not work. After xmppClient_OnBeforeSasl() nothing happens. I ran a Wireshark trace as well, and there is no message coming from my application to the server. Log data is attached.

SEND: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" to="client-dev" version="1.0" >
RECV: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="client-dev" id="b1fb4667" xml:lang="en" version="1.0" >
RECV: <stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>GSSAPI</mechanism>
  </mechanisms>
  <auth xmlns="http://jabber.org/features/iq-auth" />
  <register xmlns="http://jabber.org/features/iq-register" />
</stream:features>


What am I doing wrong? I also tried console application & sample code from MatrixSDK from your website - it's not working either.

Thank you.
Alex #2
Member since Feb 2003 · 4328 posts · Location: Germany
Group memberships: Administrators, Members
Are you logged on to an XMPP domain when running this code?
Do you see any exception in the console window, or do you get one of the error events of the XmppClient?

Alex
avs099 #3
Member since Oct 2010 · 2 posts
Group memberships: Members
XMPP domain - do you mean AD domain? If so - then yes, I'm logged in.

xmppClient does not return ANYTHING - it just "stops" right after BeforeSasl event... Server sends message with list of mechanisms to choose from - and xmppClient does not reply to this message..

Any ideas?..

Thanks!
Alex #4
Member since Feb 2003 · 4328 posts · Location: Germany
Group memberships: Administrators, Members
Quote by avs099:
XMPP domain - do you mean AD domain? If so - then yes, I'm logged in.

Yes, an AD domain.

Quote by avs099:
xmppClient does not return ANYTHING - it just "stops" right after BeforeSasl event... Server sends message with list of mechanisms to choose from - and xmppClient does not reply to this message..

After it gets the GSSAPI mechanism and UseSso is true, it starts to initialize the GSSAPI mechanism with the Kerberos APIs and sends a token to the server. This is missing in your log, so I assume there is a problem with SSPI.
Can you look if there are any exceptions in the debugger and subscribe to all MatriX Error events and the OnClose event?

Alex
Alex #5
Member since Feb 2003 · 4328 posts · Location: Germany
Group memberships: Administrators, Members
In reply to post #1
Quote by avs099:
I ran the MiniClient sample and added UseSso=true to the "Connect" button handler, but it does not work. After xmppClient_OnBeforeSasl() nothing happens.

Depending on the server you use, you also have to set the XmppDomain property, because this is used to build the Kerberos principal.

Alex
Alex #6
Member since Feb 2003 · 4328 posts · Location: Germany
Group memberships: Administrators, Members
I have uploaded a new release with some more SSPI error messages to: http://www.ag-software.net/downloads.html
The OnError event should give you some more info.

Alex
netx #7
Member since Oct 2010 · 3 posts
Group memberships: Members
Hello,

I have the same problem using the GSSAPI mechanism. The exception message in the OnError event is "InitializeSecurityContext failed. ReturnCode: 2148074241".
Alex #8
Member since Feb 2003 · 4328 posts · Location: Germany
Group memberships: Administrators, Members
This error is SEC_E_INVALID_HANDLE.
Are you sure that your server and Kerberos setup is correct?
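
Added example (not part of the thread and not MatriX code): the OnError text quoted in post #7 carries the SSPI status as a decimal number, while winerror.h lists these values in hex. This sketch extracts the number, splits it into its HRESULT fields and names it; the name table is a subset of winerror.h, and the function name is made up for this illustration.

```python
import re

# Subset of the SSPI status codes defined in winerror.h.
SSPI_NAMES = {
    0x80090301: "SEC_E_INVALID_HANDLE",
    0x80090303: "SEC_E_TARGET_UNKNOWN",
    0x80090304: "SEC_E_INTERNAL_ERROR",
    0x80090305: "SEC_E_SECPKG_NOT_FOUND",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
}
FACILITY_SSPI = 9  # HRESULT facility used by the security packages


def decode_return_code(message):
    """Decode 'ReturnCode: <decimal>' from an error message (hypothetical helper)."""
    m = re.search(r"ReturnCode:\s*(-?\d+)", message)
    if not m:
        return None
    # The same status may be printed as a signed Int32; wrap it to 32 bits unsigned.
    code = int(m.group(1)) & 0xFFFFFFFF
    facility = (code >> 16) & 0x7FF
    return {
        "hex": f"0x{code:08X}",
        "failure": bool(code >> 31),          # severity bit
        "facility": facility,
        "is_sspi": facility == FACILITY_SSPI,
        "code": code & 0xFFFF,
        "name": SSPI_NAMES.get(code, "unknown"),
    }


if __name__ == "__main__":
    # Message text as quoted in post #7.
    print(decode_return_code("InitializeSecurityContext failed. ReturnCode: 2148074241"))
```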
netx #9
Member since Oct 2010 · 3 posts
Group memberships: Members
The server side is correct. I've tried to run openfire+spark (with SSO) and this works well.
Alex #10
Member since Feb 2003 · 4328 posts · Location: Germany
Group memberships: Administrators, Members
Can you please post an XML log from Spark?
netx #11
Member since Oct 2010 · 3 posts
Group memberships: Members
Quote by Alex:
Can you please post an XML log from Spark?

Do you mean this XML log?

SEND: <stream:stream to="openfire-server" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
RECV: <?xml version='1.0' encoding='UTF-8' ?>  <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client"
 from="openfire-server" id="990c9565" xml:lang="en" version="1.0">
RECV: <stream:features> <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> <mechanism> GSSAPI </mechanism> </mechanisms>
 <auth xmlns="http://jabber.org/features/iq-auth"/> <register xmlns="http://jabber.org/features/iq-register"/> </stream:features>
SEND: <auth mechanism="GSSAPI" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">            [data in base64] </auth>
RECV: <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> = </challenge>
SEND: <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> = </response>
SEND: <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> [data in base64] </challenge>
RECV: <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> [data in base64] </response>
RECV: <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
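
Added example (not part of the thread and not MatriX or Spark code): a small tracer that reads a SEND/RECV log in the format used in posts #1 and #11 and reports how far the SASL exchange got, which is the comparison being made between the two logs. The sample logs are constructed, shortened versions of the ones posted above, and the function names are made up for this illustration.

```python
import re

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
MECH = re.compile(r"<mechanism>\s*([^<\s]+)\s*</mechanism>")
STANZA = re.compile(r"<(auth|challenge|response|success|failure)\b")

# Constructed sample input: the two traces from this thread, shortened.
MATRIX_LOG = """\
SEND: <stream:stream xmlns="jabber:client" to="client-dev" version="1.0" >
RECV: <stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>GSSAPI</mechanism>
  </mechanisms>
  <auth xmlns="http://jabber.org/features/iq-auth" />
</stream:features>
"""
SPARK_LOG = """\
RECV: <stream:features> <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> <mechanism> GSSAPI </mechanism> </mechanisms>
 <auth xmlns="http://jabber.org/features/iq-auth"/> </stream:features>
SEND: <auth mechanism="GSSAPI" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> [data in base64] </auth>
RECV: <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> = </challenge>
SEND: <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl"> = </response>
RECV: <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
"""

def trace_sasl(log):
    """Return (offered mechanisms, [(direction, SASL stanza name), ...])."""
    parts = re.split(r"^(SEND|RECV):", log, flags=re.M)
    offered, steps = [], []
    for direction, body in zip(parts[1::2], parts[2::2]):
        xml = " ".join(body.split())           # fold wrapped entries onto one line
        if direction == "RECV":
            offered += [m for m in MECH.findall(xml) if m not in offered]
        top = STANZA.match(xml)                # top-level element only, so the
        if top and SASL_NS in xml:             # iq-auth <auth/> feature is ignored
            steps.append((direction, top.group(1)))
    return offered, steps

def diagnose(log):
    offered, steps = trace_sasl(log)
    if not offered:
        return "no SASL mechanisms offered"
    if not any(d == "SEND" and s == "auth" for d, s in steps):
        return "client never sent <auth/>: failure is local, before any token left the host"
    if steps[-1] == ("RECV", "success"):
        return "authenticated"
    if steps[-1] == ("RECV", "failure"):
        return "server rejected the exchange"
    return "exchange stalled after " + steps[-1][1]
```

On the MatriX trace the tracer reports that no `<auth/>` was ever sent, which points at the client-side SSPI call rather than the server; on the Spark trace it reports a completed exchange.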
Alex #12
Member since Feb 2003 · 4328 posts · Location: Germany
Group memberships: Administrators, Members
Yes, can you please post more info about your server setup?

  • What is the domain name you are logged into?
  • What is the XMPP server domain of your Openfire server? According to your log it is: openfire-server.
  • What is your Kerberos realm?

Alex